Archive for July, 2007

Adobe now offers a yum repository for automatic upgrades

2007-07-13

Bottom line: you can now automatically upgrade the Flash plugin (but not Adobe Reader) whenever yum -y update gets run.

If you want, look at Adobe’s instructions (click on the “yum” option), but they don’t tell you much about what gets installed where, and they don’t give the md5sum, sha1sum, or the gpg key fingerprint.

Archimerged knows it’s immoral to do this (sorry Richard, we all have our faults), and maybe he’ll get annoyed enough (with the advertisements and restrictions Adobe forces on him) to switch to gnash and never use reader, but seeing as he is neither virtuous nor annoyed enough to switch, he downloaded adobe-release-1.0-0.noarch.rpm into a directory by itself. Being naturally suspicious, he ran
rpm -qlp *.rpm
/etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
/etc/yum.repos.d/adobe-linux.repo
to see what installing it would do. He also recorded the checksums so you can see if you got the same file Ark did. (Adobe ought to publish these).
md5sum *.rpm
e7fc18fa7e15e75be00814d2d4394634 [...]rpm
sha1sum *.rpm
26801152f27f01038fe1fd9f91df5faa44f2393b [...]rpm
If you get a different result, please reply here. Next:
rpm -Uvh *.rpm
After the GPG key is unpacked, import it to see the fingerprint. Adobe ought to sign this key but last time Ark looked even Red Hat didn’t sign the keys in /etc/pki/rpm-gpg/.
gpg --import /etc/pki/rpm-gpg/*adobe*
gpg: key F6777C67: public key "Adobe Systems [...]" imported
gpg --fingerprint F6777C67
pub 1024D/F6777C67 2007-02-28
Key fingerprint = 78A8 75E9 7F09 06BD 6355 73FA 3A69 BD24 F677 7C67
uid Adobe Systems Incorporated (Linux RPM Signing Key)
sub 2048g/7EB7D08B 2007-02-28

Then,
yum -y install flash-plugin
and it is mostly done. To check what got installed, Ark thinks there might be a yum command, but he knows the rpm command, which is
rpm -ql flash-plugin
The results are
/usr/lib/flash-plugin
/usr/lib/flash-plugin/LICENSE
/usr/lib/flash-plugin/README
/usr/lib/flash-plugin/homecleanup
/usr/lib/flash-plugin/libflashplayer.so
/usr/lib/flash-plugin/setup
/usr/share/doc/flash-plugin-9.0.48.0
/usr/share/doc/flash-plugin-9.0.48.0/readme.txt

Finally, Ark looked at homecleanup and ran it with --delete. It deleted some old flash plugins installed in home directories.

Adobe doesn’t provide any authentication on the adobe-release RPM, but actually Ark seriously doubts that his download was compromised. If a few other people report the same checksums and key fingerprints, it will be certain.
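For anyone who wants to compare their own download against the values Ark recorded, here is a small script that does both checks in one go. It is an added example, not part of the original post and not anything Adobe ships; it uses the SHA-1 value (the stronger of the two digests recorded above), the function names are made up for illustration, and it assumes a GnuPG new enough to have --show-keys so the key can be inspected without importing it.

```shell
#!/bin/sh
# Values recorded in the post above.
EXPECTED_SHA1="26801152f27f01038fe1fd9f91df5faa44f2393b"
EXPECTED_FPR="78A8 75E9 7F09 06BD 6355 73FA 3A69 BD24 F677 7C67"

# Drop spaces/colons and upper-case, so differently formatted hex compares equal.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F'
}

# Print the SHA-1 digest of a file (first field of sha1sum output).
file_sha1() {
    sha1sum -- "$1" | awk '{print $1}'
}

# Succeed only if the file's SHA-1 equals the expected digest.
sha1_matches() {
    [ "$(normalize_hex "$(file_sha1 "$1")")" = "$(normalize_hex "$2")" ]
}

# Succeed only if both fingerprints are the same 40 hex digits.
fpr_matches() {
    a=$(normalize_hex "$1")
    [ "${#a}" -eq 40 ] && [ "$a" = "$(normalize_hex "$2")" ]
}

# Print the fingerprint of the first key in a key file without importing it.
# Assumption: a GnuPG 2.x recent enough to support --show-keys.
key_fingerprint() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_release RPM KEYFILE: both checks must pass.
verify_release() {
    sha1_matches "$1" "$EXPECTED_SHA1" ||
        { echo "SHA-1 mismatch for $1" >&2; return 1; }
    fpr_matches "$(key_fingerprint "$2")" "$EXPECTED_FPR" ||
        { echo "key fingerprint mismatch for $2" >&2; return 1; }
    echo "checksum and key fingerprint match the values in the post"
}

# Run only when called with both paths, e.g.
#   sh verify.sh adobe-release-1.0-0.noarch.rpm /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```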
